I was doing Realistic Missions and I had to use XSS to steal cookies from an admin... I saw some tutorials on how it's done but I am confused about the fine point differences between Javascript Code Injection and XSS Cookie stealing.

How does someone "steal" the cookie by injecting javascript:alert(document.cookie) into a trusted website's codes? All you are doing is accessing the Target's cookie on the Target's machine, right? How do you get his cookie information? Do you have to create a fake website first? If so, then I understand the attack a little better. You basically direct an user to a fake website and let the website obtain the User's cookie and then you can access the cookie because you have access to your fake website.